sevecek-teched2014-web-application-proxy

Download Report

Transcript sevecek-teched2014-web-application-proxy 

Ing. Ondřej Ševeček | GOPAS a.s. |
MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker |
[email protected] | www.sevecek.com |
WEB APPLICATION PROXY
VS. TMG
Web Application Proxy
THREAT MANAGEMENT GATEWAY
VS. WAP
Threat Management Gateway
 Forward HTTP/S proxy
 Kerberos SSO authentication
 user/group based rules and logging
 HTTPS inspection
 Reverse HTTP/S proxy




TLS/SSL endpoint
HTTPS inspection
Basic, Forms, TLS certificate, AD FS authentication
Kerberos constrained delegation
 Stateful firewall
 IP/ICMP/TCP/UDP/GRE/AH/ESP/FTP
Web Application Proxy
 Forward HTTP/S proxy
 Kerberos SSO authentication
 user/group based rules and logging
 HTTPS inspection
 Reverse HTTP/S proxy




TLS/SSL endpoint
HTTPS inspection
Basic, Forms, TLS certificate, AD FS authentication
Kerberos constrained delegation
 Stateful firewall
 IP/ICMP/TCP/UDP/GRE/AH/ESP/FTP
TMG forward proxy
HTTP/S
Server
DC
HTTP/S
Client
HTTP/S
Client
HTTP/S
Client
HTTP/S
Client
TMG
Proxy
TMG/WAP reverse proxy
Browser
HTTP/S
Client
DC
GUI
HTTP/S
Client
CRM
Web
TLS Cert
Share
Point
TLS Cert
Exchange
OWA
TLS Cert
TLS Cert
TMG
Perimeter authentication
+ auth. forwarding
DC
Browser
HTTP/S
Client
GUI
HTTP/S
Client
CRM
Web
Share
Point
Exchange
OWA
TMG
TLS client certificate authentication
 TLS session establishes first
 Without client certificate no HTTP inside
 No password guessing
 Certificates mapped to user accounts
Web Application Proxy
REMOTE ACCESS COMPARED
Network Access Technologies
 VPN
 SMB/SQL/LDAP/DCOM sensitive to RTT
 Remote Desktop
 no clipboard, no file proliferation
 limited malware surface
 802.1x
 WiFi or Ethernet
 no encryption, authorization only
 DirectAccess
 GPO managed IPSec tunnel over IPv6
 Web Application Proxy
 HTTPS reverse proxy for web applications
VPN Scenario
VPN
Client
SQL
DC
FS
Share
Point
RDP
RADIUS
VPN
Gateway
DA Scenario
DA
Client
SQL
DC
FS
Share
Point
RDP
RADIUS
DA
Server
RDP Scenario
RDP
Client
SQL
DC
FS
Wks
Wks
Wks
Share
Point
RDP
RADIUS
RDP
Gateway
802.1x WiFi Scenario
SQL
DC
FS
Share
Point
WiFi AP
RDP
WiFi
Client
RADIUS
802.1x Ethernet Scenario
SQL
DC
FS
Share
Point
Wks
Switch
RDP
Wks
RADIUS
Printer
WAP Scenario
Web
Browser or
GUI client
Lync
Web
Share
Point
Exchange
AD FS
DC
Web
Application
Proxy
AD FS Proxy
VPN Compared
Protocol
Transport
Client
PPTP
TCP 1723
IP GRE
MS-DOS and newer
L2TP
SSTP
IKEv2
UDP 500, 4500
IP ESP
TCP 443
TLS
UDP 500, 4500
IP ESP
RRAS Server
Server
Requirements
NT 4.0 and newer
-
2000 and newer
IPSec certificate
public name
Public IP
2008 and newer
TLS certificate
public name
2008 R2 and
newer
IPSec certificate
public name
Public IP
-
NT 4.0, 98
and newer
IPSec machine
certificate
Vista/2008 and newer
-
7/2008 R2 and newer
IPSec machine
certificate
VPN Compared
Protocol
Transport
RD Gateway
TCP 443
TLS
Client
RRAS Server
Server
Requirements
RDP Client 6.0
and newer
2008 and newer
TLS certificate
public name
2012 and newer
IPSec certificate
TLS certificate
public name
2012 R2 and
newer WAP and
AD FS server
TLS certificate
public name
TLS certificate for
AD FS public
name
-
DirectAccess
Web
Application
Proxy
IPSec inside
IPv6 inside
TCP 443 TLS
or Teredo/6-to-4
HTTPS
7/2008 R2 Enteprise
IPv6 enabled, GPO
IPSec machine
certificate
web browser
GUI web client (office)
Web Application Proxy
WEB APPLICATION PROXY
Names and certificates
Web
Browser or
GUI client
http://intranet
Share
Point
Web
Application
Proxy
https://intranet.gopas.cz
https://adfs.gopas.cz
AD FS Proxy
AD FS
DC
https://adfs.gopas.cz
Service accounts
Web
Browser or
GUI client
sp-intranet-web
Share
Point
Web
Application
Proxy
Network Service
AD FS Proxy
AD FS
DC
svc-adfs
Network Service
Windows authentication
with passwords - overview
Share
Point
Kerberos
Exchange
Web
Application
Proxy
Cookie
Forms
AD FS Proxy
AD FS
DC
Basic
POST
Web
Browser or
GUI client
Windows authentication
with passwords - #1
Web
Browser or
GUI client
Share
Point
Exchange
Web
Application
Proxy
AD FS Proxy
AD FS
DC
Redirect 307
Windows authentication
with passwords - #2
Web
Browser or
GUI client
Share
Point
Exchange
Web
Application
Proxy
Forms
AD FS Proxy
AD FS
DC
Basic
POST
Windows authentication
with passwords - #3
Web
Browser or
GUI client
Share
Point
Exchange
Web
Application
Proxy
Claims
Redirect 302
AD FS Proxy
AD FS
DC
Claims
Windows authentication
with passwords - #4
Share
Point
Web
Browser or
GUI client
Kerberos
Exchange
Cookie
Web
Application
Proxy
AD FS Proxy
AD FS
DC
Claims
Windows authentication
with passwords - #5
Web
Browser or
GUI client
Share
Point
200 OK
Exchange
200 OK
Cookie
Web
Application
Proxy
AD FS Proxy
AD FS
DC
Cookie
Windows authentication
with TLS client certificate
Share
Point
Kerberos
Exchange
Web
Application
Proxy
Cookie
TLS Client Certificate
AD FS Proxy
AD FS
DC
TLS Client Certificate
TCP 49443
TCP 49443
Web
Browser or
GUI client
Claims authentication
Web
Browser or
GUI client
Share
Point
Claims
Cookie
Exchange
Claims
Cookie
Web
Application
Proxy
Forms
AD FS Proxy
AD FS
DC
Basic
POST
TLS Client Certificate
Web Application Proxy
LONG JOURNEY?
Long journey yet?
 Basic only with pass-through
 deprecated since AD FS 2.0
 no Basic fallback (GUI clients)
 No selection intranet/extranet
 No persistent cookies
 always the web page regardless of client (GUI)
 AD FS native support since Exchange 2013 SP1
 AD FS native support since SharePoint 2010
 no WebDAV support
 No inspection